Open Source Fuzzing Library Open

Thursday, May 16, 2013 @ 07:05 PM gHale

A data fuzzing library of open source software called Fuzzino is now up and running.

This library allows existing test tools to prepare for fuzzing and looks to eliminate the need to reinvent the wheel and make developing new fuzzing tools unnecessary, said researchers from FOKUS (Fraunhofer Institute for Open Communication Systems in Germany). Fuzzing is the process of testing a system for hidden weaknesses by presenting the system with random and sometimes erroneous input data.

Firms Don’t Budget to Protect IP
Manufacturing Most Attacked Industry
Simulated Attacks Hike Security Awareness
Malware Attacks Hit Constantly

Fuzzino uses models of protocols or interfaces to generate test cases and then uses “Smart Fuzzing” heuristics to generate Data fuzzing and Behavioral fuzzing.

This reduces the number of test cases needed over purely random fuzzing, researchers said. An example given is work done by FOKUS and system experts on a risk assessment for a money-processing machine.

The experts examined the system’s protocols, developed functional test cases and then used those test cases to fuzz the system. The results of that fuzzing generated more test cases from which specific security tests could generate. This process offered a far higher coverage of risk than a user could normally manage in the same time.

Eclipse is the underlying technology behind Fuzzino and users will need Eclipse EMF 2.7 and JUnit 4 to compile it and integrate it with their testing tools.

FOKUS developers said users should keep in mind Fuzzino is not a full featured fuzzing tool. They describe it as “a test data generator for enabling your testing tool to perform fuzzing.” Users can receive fuzz data from the tool as XML documents or directly within Java to avoid the processor intensive serialization and deserialization process. Users can also directly instantiate fuzzing heuristics from Fuzzino in their testing tool.

More information on how to use the tool is available in the documentation folder of the source code. Fuzzino has a license under version 2.0 of the Apache License.

As mentioned, fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program then undergoes monitoring for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing commonly sees use to test for security problems in software or computer systems.

Leave a Reply

You must be logged in to post a comment.